Automatically make user local administrator on their computer through GPO?

active-directory group-policy

In our AD 2003 domain each user gets local admin permissions on their computer. Everyone else can login with their domain account as normal user.

Right now this means going to the desktop and manually adding the user as a local administrator.

Is there any way to automate this process through logon scripts or GPOs? I have found ways to use a gpo to make everyone who logs in to a computer a local admin, but really only want to give it to the primary user (or in some cases users) of the computer.

I've also seen methods that required adding a group for each computer...but really dont want to clutter AD like that.

I do have a list mapping each user to each computer name. If it matters the desktops are a mix of xp and win7.


I would hope not. That is not a very secure thing to do. I would encourage users to use a separate account for activities that require elevated permissions. We use a local account, but this could also be a domain account that has been added to the local Administrators group.

Related

Postfix - specify interface to deliver outbound mail on
Run remote command with putty
Apache HSTS exception for some virtual hosts
Running some benchmarks using ab, and tomcat starts to really slow down
Postfix Whitelist before recipient restrictions
What Do the Numbers In Parentheses Mean In My Windows DNS Debug Log?
SQL transaction log backups conflicting with full backups?
Getting hostname of the computer connected to the ssh session
How to export a VMware ESXi 5 VM into a file to restore it later?
Resize2fs at 81h and counting
Slow copying between NFS/CIFS directories on same server
With powershell get exactly the same application list as in Add/Remove programms